Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Troubleshooting authentication with smart cards

You can diagnose smart card failures by systematically validating hardware recognition, service status, and certificate validity to resolve common configuration issues to restore secure access.

10.1. Testing smart card access on the system
Copy link

Verifying hardware connectivity is the first step in troubleshooting. Use system utilities such as lsusb and pkcs11-tool to confirm the reader is active and that the operating system can read the smart card’s contents.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the certutil tool from the nss-tools package.
  • You have the PIN or password for your smart card.

Procedure

  1. Using the lsusb command, verify that the smart card reader is visible to the operating system: 

    $ lsusb
    Copy to Clipboard Toggle word wrap 
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Copy to Clipboard Toggle word wrap

    For more information about the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 10.

  2. Ensure that the pcscd service and socket are enabled and running: 

    $ systemctl status pcscd.service pcscd.socket
    Copy to Clipboard Toggle word wrap 
    ● pcscd.service - PC/SC Smart Card Daemon
      Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect;
vendor preset: disabled)
      Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
weeks 6 days ago
TriggeredBy: ● pcscd.socket
        Docs: man:pcscd(8)
    Main PID: 3772184 (pcscd)
       Tasks: 12 (limit: 38201)
      Memory: 8.2M
         CPU: 1min 8.067s
      CGroup: /system.slice/pcscd.service
              └─3772184 /usr/sbin/pcscd --foreground --auto-exit

● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
      Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled;
vendor preset: enabled)
      Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
weeks 6 days ago
    Triggers: ● pcscd.service
      Listen: /run/pcscd/pcscd.comm (Stream)
      CGroup: /system.slice/pcscd.socket
    Copy to Clipboard Toggle word wrap

  3. Using the p11-kit list-modules command, display information about the configured smart card and the tokens present on the smart card: 

    $ p11-kit list-modules
    Copy to Clipboard Toggle word wrap 
    p11-kit-trust: p11-kit-trust.so
[...]
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.20
    token: MyEID (sctest)
        manufacturer: Aventra Ltd.
        model: PKCS#15
        serial-number: 8185043840990797
        firmware-version: 40.1
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
    Copy to Clipboard Toggle word wrap

  4. Verify you can access the contents of your smart card: 

    $ pkcs11-tool --list-objects --login
    Copy to Clipboard Toggle word wrap 
    Using slot 0 with a present token (0x0)
Logging in to "MyEID (sctest)".
Please enter User PIN:
Private Key Object; RSA
  label:      Certificate
  ID:         01
  Usage:      sign
  Access:     sensitive
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         01
  Usage:      verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
  ID:         01
    Copy to Clipboard Toggle word wrap

  5. Display the contents of the certificate on your smart card using the certutil command:

    1. Run the following command to determine the correct name of your certificate: 

      $ certutil -d /etc/pki/nssdb -L -h all
      Copy to Clipboard Toggle word wrap 
      Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "MyEID (sctest)":
Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00           CT,C,C
MyEID (sctest):Certificate                                   u,u,u
      Copy to Clipboard Toggle word wrap

    2. Display the contents of the certificate on your smart card:

      Note

      Ensure the name of the certificate is an exact match for the output displayed in the previous step, in this example MyEID (sctest):Certificate. 

      $ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate"
      Copy to Clipboard Toggle word wrap 
      Enter Password or Pin for "MyEID (sctest)":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM"
        Validity:
            Not Before: Thu Sep 30 14:01:41 2021
            Not After : Sun Oct 01 14:01:41 2023
        Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f:
                2f:56:f9:1a

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.idm.example.com/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab:
                be:07:1f:36

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        [...]
    Fingerprint (SHA-256):
        6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC
    Fingerprint (SHA1):
        B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
      Copy to Clipboard Toggle word wrap

SSSD manages the authentication flow between the smart card and the identity provider. Administrators analyze SSSD logs and use sssctl to diagnose failures in the pam or krb5 child processes when login attempts fail.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the sssd-tools package.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Verify you can authenticate with your smart card using su: 

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami'
    Copy to Clipboard Toggle word wrap 
    PIN for MyEID (sctest):
idmuser1
    Copy to Clipboard Toggle word wrap

    If you are not prompted for the smart card PIN, and either a password prompt or an authorization error are returned, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. The following is an example of an authentication failure: 

    $ su - idmuser1 -c ‘su - idmuser1 -c whoami'
    Copy to Clipboard Toggle word wrap 
    PIN for MyEID (sctest):
su: Authentication failure
    Copy to Clipboard Toggle word wrap

    If the SSSD logs indicate an issue from the krb5_child, similar to the following, you may have an issue with your CA certificates. To troubleshoot issues with certificates, see Verifying that IdM Kerberos KDC can use Pkinit and that the CA certificates are correctly located. 

    [Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]
    Copy to Clipboard Toggle word wrap

    If the SSSD logs indicate a timeout either from p11_child or krb5_child, you may need to increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details on how to increase the timeouts.

  2. Verify your GDM smart card authentication configuration is correct. A success message for PAM authentication should be returned as shown below: 

    # sssctl user-checks -s gdm-smartcard "idmuser1" -a auth
    Copy to Clipboard Toggle word wrap 
    user: idmuser1
action: auth
service: gdm-smartcard

SSSD nss user lookup result:
 - user name: idmuser1
 - user id: 603200210
 - group id: 603200210
 - gecos: idm user1
 - home directory: /home/idmuser1
 - shell: /bin/sh

SSSD InfoPipe user lookup result:
 - name: idmuser1
 - uidNumber: 603200210
 - gidNumber: 603200210
 - gecos: idm user1
 - homeDirectory: /home/idmuser1
 - loginShell: /bin/sh

testing pam_authenticate

PIN for MyEID (sctest)
pam_authenticate for user [idmuser1]: Success

PAM Environment:
 - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest)
 - KRB5CCNAME=KCM:
    Copy to Clipboard Toggle word wrap

    If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. 

    pam_authenticate for user [idmuser1]: Authentication failure

PAM Environment:
 - no env -
    Copy to Clipboard Toggle word wrap

    If PAM authentication continues to fail, clear your cache and run the command again. 

    # sssctl cache-remove
    Copy to Clipboard Toggle word wrap 
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
Creating backup of local data…
Removing cache files…
SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
    Copy to Clipboard Toggle word wrap

Successful PKINIT authentication relies on a valid certificate chain. You can use kinit and openssl to verify that the client trusts the Certificate Authority and that the smart card certificate is valid for Kerberos ticket retrieval.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card: 

    $ kinit -X X509_user_identity=PKCS11: idmuser1
    Copy to Clipboard Toggle word wrap 
    MyEID (sctest)                   PIN:
    Copy to Clipboard Toggle word wrap
  2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/managing_smart_card_authentication/troubleshooting-authentication-with-smart-cards#testing-smart-card-access-on-the-system

  3. If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.

    1. Verify the CA chain is listed in the default certificate bundle file using openssl commands: 

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
      Copy to Clipboard Toggle word wrap 
      subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority

issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority
      Copy to Clipboard Toggle word wrap

    2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1: 

        $ pkcs11-tool --list-objects --login
        Copy to Clipboard Toggle word wrap 
        [...]
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
 ID: 01
        Copy to Clipboard Toggle word wrap

      2. Read the user certificate information from the smart card in DER format: 

        $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
        Copy to Clipboard Toggle word wrap 
        Using slot 0 with a present token (0x0)
        Copy to Clipboard Toggle word wrap

      3. Convert the DER certificate to PEM format: 

        $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
        Copy to Clipboard Toggle word wrap

      4. Verify the certificate has valid issuer signatures up to the CA: 

        $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
cert.pem: OK
        Copy to Clipboard Toggle word wrap

  4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

    1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using: 

      $ pkcs11-tool --list-objects --type cert --login
      Copy to Clipboard Toggle word wrap 
      Using slot 0 with a present token (0x0)
Logging in to "MyEID (sctest)".
Please enter User PIN:
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
  ID:         01
Certificate Object; type = X.509 cert
  label:      Second certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
  ID:         02
      Copy to Clipboard Toggle word wrap

    2. Run kinit with certificate ID 01: 

      $ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
      Copy to Clipboard Toggle word wrap 
      MyEID (sctest)                   PIN:
      Copy to Clipboard Toggle word wrap

  5. Run klist to view the contents of the Kerberos credentials cache: 

    $ klist
    Copy to Clipboard Toggle word wrap 
    Ticket cache: KCM:0:11485
Default principal: idmuser1@EXAMPLE.COM

Valid starting       Expires              Service principal
10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  6. Destroy your active Kerberos tickets once you have finished: 

    $ kdestroy -A
    Copy to Clipboard Toggle word wrap

10.4. Increasing SSSD timeouts
Copy link

Hardware latency or complex certificate chains can cause SSSD operations to time out. Administrators extend the krb5_auth_timeout and p11_child_timeout settings in sssd.conf to enable sufficient time for smart card processing. 

krb5_child: Timeout for child [9607] reached.....consider increasing value of krb5_auth_timeout.
Copy to Clipboard Toggle word wrap

If there is a timeout entry in the log file, try increasing the SSSD timeouts as outlined in this procedure.

Prerequisites

  • You have configured your IdM Server and client for smart card authentication.

Procedure

  1. Open the sssd.conf file on the IdM client: 

    # vim /etc/sssd/sssd.conf
    Copy to Clipboard Toggle word wrap

  2. In your domain section, for example [domain/idm.example.com], add the following option: 

    krb5_auth_timeout = 60
    Copy to Clipboard Toggle word wrap

  3. In the [pam] section, add the following: 

    p11_child_timeout = 60
    Copy to Clipboard Toggle word wrap

  4. Clear the SSSD cache: 

    # sssctl cache-remove
    Copy to Clipboard Toggle word wrap 
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
Creating backup of local data…
Removing cache files…
SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
    Copy to Clipboard Toggle word wrap

    Once you have increased the timeouts, try authenticating again using your smart card. See Testing smart card authentication for more details.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top